Jun 18 2011

This is a series of notes on dealing with PC malware (viruses, worms and the like) gathered because I’m looking into it and published as a way of reminding myself about this stuff. Bear in mind that I’m not an expert but neither am I a complete dunce – I’m normally a Unix or Linux person but I’ve been keeping half an eye on Windows infections for years.

Some links to tools are contained within. However you should be aware that tool recommendations change over time; you will need to check how outdated this document is before following any recommendations blindly.

At present this blog entry is a work in progress … lots of testing needs to be done before being confident this is right.

Cleanup Process

This is not :-

  1. How to approach this forensically – if you’re dealing with an investigation, it’s a whole other ball game and you probably need professional assistance to avoid corrupting evidence.
  2. A technical guide as to which tools to use.

1. For The Ultra Cautious Or When Handling Real Important Data

The process of removal can be destructive, and in the worst cases you can clean out the malware and end up with a brick. So make an image of the hard disk as it is. Two basic ways this can be done :-

  1. Removing the hard disk from the infected machine, attaching it to an appropriate machine (USB->SATA, USB->IDE converters are handy here), and making an image of the disk.
  2. Booting off a “rescue” CD on the infected machine, and imaging the hard disk to a network share of some kind. This is the preferred option.

This will be slow. So be it. Cleaning an infected PC is not going to be a quick job whatever you do. The best you can hope for is that there are many periods where you can leave it churning away and get on with something else.
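
An added example (not part of the original notes) of the imaging step done from a rescue environment: copy the disk, check the copy against the source by hash, and keep the hash with the image. The device name and share path in the comments are placeholders, and it assumes `dd` and `sha256sum` are present on the rescue CD.

```shell
#!/bin/sh
# image_disk SOURCE IMAGE
#   SOURCE: the infected disk as seen from the rescue CD (placeholder: /dev/sdX)
#   IMAGE:  a file on an already-mounted share (placeholder: /mnt/share/pc.img)
# The disk must not be mounted read-write while this runs, otherwise the
# two hashes below can legitimately differ.
image_disk() {
    src=$1
    img=$2

    if [ ! -r "$src" ]; then
        echo "cannot read $src" >&2
        return 2
    fi
    # Never overwrite an earlier image of the same machine.
    if [ -e "$img" ]; then
        echo "$img already exists, refusing to overwrite" >&2
        return 2
    fi

    # Plain block copy. conv=noerror,sync is deliberately not used: it pads
    # short reads with zeros, so the image would no longer match the source.
    dd if="$src" of="$img" bs=1M || return 1

    # Hash both sides; a mismatch means the image cannot be trusted.
    src_sum=$(sha256sum < "$src" | cut -d' ' -f1)
    img_sum=$(sha256sum < "$img" | cut -d' ' -f1)
    if [ "$src_sum" != "$img_sum" ]; then
        echo "hash mismatch: image does not match source" >&2
        return 1
    fi

    # Keep the hash beside the image (checkable later with sha256sum -c)
    # and make the image read-only so cleanup experiments use copies of it.
    printf '%s  %s\n' "$img_sum" "$(basename "$img")" > "$img.sha256"
    chmod a-w "$img"
    echo "$img_sum"
}

# Run directly as: sh image_disk.sh SOURCE IMAGE
if [ "$#" -eq 2 ]; then
    image_disk "$1" "$2"
fi
```
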

2. Boot A Rescue CD

There are those who tell you that there is no need to boot off a known uninfected disk to clean an infected machine; their anti-malware/virus product can clean an infected machine “live”. There are others who claim that the only way to be sure is to boot off that disk and clean the machine that way. Both are wrong.

If you are paranoid (and in the presence of malware paranoia is fully justifiable), you will do both.

3. Boot Infected Machine and Clean

As suggested previously, after booting off a rescue disk and cleaning, boot the infected machine and clean again.

Tools

The following is a list of rescue CDs that have been suggested :-

  • UBD4Win. Has to be “built” with the assistance of an XP installation; somewhat tedious but it isn’t the end of the world. However it does need preparing in advance – building a rescue CD with the assistance of an infected machine isn’t the most sensible idea!
  • Knoppix. Graphical, pretty, feature packed, but seems to be lacking in anti-malware tools (for instance the only AV tool included is Clam).
  • Trinity Rescue Disk. Menu interface. Virus definitions update over the net; choice of Clam, F-Prot, Bitdefender, Vexira, Avast (need to obtain license key). Various other utilities.
  • F-Secure Rescue CD.

Some of the above are Windows based; some are Linux based. The choice of which to use should be based on results not whether they tickle your prejudices (or mine!).

The following is a list of “live” tools to be installed that have been suggested :-

Asides

Nothing to do with the main subject. Merely some notes worth mentioning.

It seems that at least some malware can detect it is running within a virtual environment. In some cases it ceases to do anything, and in others it may try to “break out”. This indicates that analysing malware within a virtual environment may not give sensible results, and in some cases may be dangerous! That is not to say that using a virtual environment is no longer of any use, but you may need to take special care such as running the virtual environment under Linux and/or ESX rather than Windows. And be careful about negative results.

Jun 15 2011

.. or to give them the more popular name, tablets.

What is the one thing all slates (whatever the usual choice of operating system) are missing? Support for multiple users.

Whilst there have been and are slates based on desktop operating systems, the only ones that have gained any level of popularity are based around operating systems for mobile phones – principally iOS and Android. And for some reason, these do not have support for multiple users which is sort of understandable for mobile phones but it is definitely a weakness for slates.

Imagine if you will, that you have bought a slate and set up the details for your work email, and are busily exchanging emails with someone who insists on being called “Bubbles” and you are engaged in a bit of harmless flirtation. Now you plonk your slate down on the coffee table, and your partner picks it up to play with; of course they end up looking at your latest email from “Bubbles”.

Or in the morning, you rescue your slate from the resident teenager wandering around the house under an angry cloud. You’re in a hurry and don’t check the slate until you wire it up to a projector to show those figures you were working on last night. And this is when you discover (to the amusement of the collective senior managers) that your pet teenager has replaced the default background image with an image of their favourite teenage idol in a scantily clad pose.

Now both of those examples were extreme and intentionally a bit humorous, but the problem is genuine. Even if you are single and excessively possessive about your slate, having a user called “work” and another called “play” allows you to hide one activity from the other. Not a bad idea to keep the games hidden from your boss!

Add a “demo” user and you can hand your slate to a fellow worker or friend to let them have a look at your slate without the risk of them discovering something they shouldn’t.

The mistake the manufacturers have made is assuming that a slate is a single user device. In practice, everyone wants a go and unless you have really big pockets and carry it around everywhere with you, people will pick it up and use it. The ‘net is full of stories about geeks who bought a slate, and wound up with their partner using it more than they do. And not always through choice!

It appears that I’m not the only one who thinks this would be a really good feature.

Apr 15 2011

I recently read some of the papers linked to from Andrew Cormack’s blog entry on the legal dangers of cloud computing, which made for interesting reading. And caused me to do some thinking. Whilst the legal aspects of cloud computing are complex and need to be examined (it would make things a great deal easier if there was an “Internet Nation” with its own laws), one of the dangers most obvious to me is an old danger to corporate computing with a cloud computing twist.

The old danger itself is what happens when non-IT specialists set up their own servers. Such servers are rarely physically secured properly (allowing data to be stolen), are often poorly backed up, and are sometimes even set up with old retired desktop machines. The dangers are obvious, although those who set them up are rarely aware that installing a server is only a tiny part of the work involved in maintaining a service.

Cloud computing offers similar dangers. An organisation that signs up to a cloud-based service is almost certainly going to get a suitable contract that covers many possible concerns, but an individual within that organisation may sign up to a cloud service with the default terms of service aimed at the consumer. Some of the dangers are :-

  1. If that individual makes use of their cloud service in a way that is important to the organisation, how do those responsible for IT services assess the risk of it when they are not aware that it is being used ?
  2. Does that cloud service offer a service level agreement sufficient to protect the organisation? Most consumer grade cloud services can withdraw that service or change the terms of that service without notice at any time. They also rarely commit to protect any data held on the cloud, or offer any guarantees of availability. Or confidentiality.
  3. A consumer using a cloud service is protected to some extent by consumer law. An individual within an organisation using a cloud service for their work may well not be protected at all. Organisations are usually protected by contract law – when a contract exists!

Apr 14 2011

This is one of those things that I was under the impression was widely understood (at least amongst a certain specialist population of IT people), but apparently not. As anyone who has ever paid extra for a static IP address knows, a network block has some notional monetary value. To give you an idea of how much, a quick search shows that a certain ISP (it doesn’t matter which one) charges $2.50 per month for a static IP address.

This scales up to a value of $637 for a /24 network block, $163,000 for a /16 network block, and $41 million for a /8 network block. These values are of course wildly unrealistic given that network blocks can’t be sold (or at least not usually, although I do know people who have sold them). But let’s assume they do have a monetary value – after all with the starvation of IP addresses it is not impossible that network blocks could be traded.

Physical objects are subject to depreciation to represent the declining value to the organisation – a 10 year old server may eventually have an interest to a museum, but an organisation is likely to realise that it makes more sense to replace it.

Network blocks are also subject to depreciation although it is not time dependent but depends on what use is made of that network block. If we assume that network block A has been assigned to a bunch of unrepentant scamming spammers, what is likely to happen ? Well as spam floods their networks and servers, network administrators and system administrators will start to block addresses within network block A.

Some of the blocklists are collectively run, but some are run by individual organisations. In the latter case you cannot ensure that these entries will ever be removed. As a network block gradually acquires more and more entries in numerous blocklists around the world, it becomes of less use to those who want to use it. It decreases in value.

Similarly when a network block (let’s call it “B”) is used for a collection of workstations run by users whose interest does not extend to keeping their machines secure, it will be populated by machines infected with various forms of malware. As such, it is also subject to being cast into the blocklists of the world. In most cases, the users will not notice, but if that network block ever gets reallocated to servers, those servers are subject to problems caused by historical entries in blocklists.

So each malware infection a machine is subject to has a cost associated with it – it has decreased the value of the network address it uses by a tiny amount. Over time and with enough long-lived malware infections, it is possible that a network block will have a much lower value than an unused network block.

Jan 23 2011

Of course they are – everything is a security risk. The question should be whether ereaders pose enough of a risk to your organisation to justify taking some form of action to reduce or eliminate that risk. The risks that ereaders pose can be broken down into three areas :-

  1. Most ereaders are effectively USB memory sticks with a display on. As such the risk is much the same as with any USB stick – a malicious employee could steal data and remove it from your organisation. The countermeasures are the same too – implement a policy that prevents memory sticks from being used when plugged in.
  2. Ereaders have an additional danger in that accidental leakage of confidential information is far more likely. People are unlikely to carry out a paper document marked “COSMIC TOP SECRET”, but if they put such documents onto an ereader, they are far more likely to walk out the door with it through simple neglect – that ereader with the “COSMIC TOP SECRET” document on it also has that harmless book “The Girl With The Dragon Tattoo” that I am reading in my spare time.
  3. Many ereader devices (such as Amazon’s Kindle) have a way of sending documents to the device over email – you email a special address on the supplier’s mail servers, and it trickles down to the ereader. Pretty convenient for the user, but not only does it make the leakage of information easier, you also have to worry about how secure the supplier’s mail servers are.

If you need a certain level of security, that all makes it seem like ereaders should be banned at your organisation. That would be a shame because they can be useful – everyone knows how much paper can be wasted printing discussion documents and reports so they can be referred to in a meeting. An ereader means you can carry that pile of paper around far easier.

Rather than simply banning ereaders, provide them for the workers to use. And ban them from going offsite. Security is more palatable if it is served with a smile.